CN116488811A - Method for dividing cipher boundary - Google Patents
Method for dividing cipher boundary Download PDFInfo
- Publication number
- CN116488811A CN116488811A CN202310739528.XA CN202310739528A CN116488811A CN 116488811 A CN116488811 A CN 116488811A CN 202310739528 A CN202310739528 A CN 202310739528A CN 116488811 A CN116488811 A CN 116488811A
- Authority
- CN
- China
- Prior art keywords
- dividing
- password
- boundary
- list
- cryptographic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000000638 solvent extraction Methods 0.000 claims abstract description 37
- 238000005516 engineering process Methods 0.000 claims abstract description 13
- 230000007246 mechanism Effects 0.000 claims description 36
- 230000007704 transition Effects 0.000 claims description 16
- 238000004364 calculation method Methods 0.000 claims description 10
- 230000008569 process Effects 0.000 claims description 9
- 238000010586 diagram Methods 0.000 claims description 8
- 230000006378 damage Effects 0.000 claims description 6
- 230000005540 biological transmission Effects 0.000 claims description 5
- 238000012360 testing method Methods 0.000 claims description 5
- 230000002776 aggregation Effects 0.000 claims description 4
- 238000004220 aggregation Methods 0.000 claims description 4
- 238000012544 monitoring process Methods 0.000 claims description 3
- 238000001514 detection method Methods 0.000 abstract description 4
- 238000005192 partition Methods 0.000 description 11
- 238000000576 coating method Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 239000011248 coating agent Substances 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000005856 abnormality Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007613 environmental effect Effects 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 239000004575 stone Substances 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/36—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with means for detecting characters not meant for transmission
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for dividing a password boundary, and belongs to the technical field of passwords. A method of partitioning a cryptographic boundary, comprising: establishing a function list, a technology list and a component list of the dividing object; drawing a finite state of the dividing object; judging whether the dividing object meets preset conditions according to the function list, the technology list and the component list; if the dividing object meets the preset condition, dividing the password boundary of the dividing object according to a first preset mode and a second preset mode respectively; and collecting the division results of the first preset mode and the second preset mode and operating to obtain a final password boundary. The invention can make the code boundary division clear to the levels of parts, programs, files and codes, improves the accuracy of the code boundary division and can avoid the risk that the detection cannot pass due to inaccurate boundary division.
Description
Technical Field
The invention belongs to the technical field of passwords, and particularly relates to a dividing method of a password boundary.
Background
The password is a basic stone for protecting network security and data security, so whether the password is qualified directly influences the network and data security. The password has a hardware form, a software form, a firmware form and a mixed form formed by combining different forms. Furthermore, some passwords do not limit the usage scenario, while some passwords have limited usage scenarios, so that the usage scenario and the passwords are highly bound, and the boundary between the usage scenario and the passwords is difficult to clearly divide. The first step of detecting the password is to accurately divide the password boundary and then detect the part in the password boundary according to the corresponding technical standard and requirement, but no clear and accurate method for dividing the password boundary exists at present, so that various problems are brought to detection.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method for dividing a password boundary.
The aim of the invention is realized by the following technical scheme: a method of partitioning a cryptographic boundary, comprising:
establishing a function list, a technology list and a component list of the dividing object;
drawing a finite state of the dividing object;
judging whether the dividing object meets preset conditions according to the function list, the technology list and the component list;
if the dividing object meets the preset condition, dividing the password boundary of the dividing object according to a first preset mode and a second preset mode respectively;
and collecting the division results of the first preset mode and the second preset mode and operating to obtain a final password boundary.
Further, the function list comprises a complete cryptographic function and/or service list which can be declared to be realized by the partition object, the technical list comprises technical standards for executing functions and services of the partition object and technical requirements for executing the functions and services of the partition object, and the component list comprises components to which the partition object is attached for realizing the cryptographic function and/or service.
Further, drawing the finite state of the partitioning object includes:
and drawing a finite state transition diagram and a finite state transition table, wherein the finite state comprises a power on/off state, an initialization state, a password administration state, a key security parameter data state, a user state, an approval state, a self-test state and an error state.
Further, judging whether the division object satisfies a preset condition according to the function list, the technology list and the component list, including:
checking technical standards and technical requirements one by one according to the technical list, judging whether all the declared password functions and/or services can be realized, and if not, the dividing objects do not meet preset conditions;
judging whether the dividing object has at least one function in the function list, at least one technical standard or technical requirement in the technical list and at least one component in the component list at the same time, if not, the dividing object does not meet the preset condition;
judging whether the division object has a finite state transition diagram and a finite state transition table, if not, the division object does not meet the preset condition;
judging whether the components in the component list meet the technical standards or technical requirements according to the technical list, if not, the dividing objects do not meet the preset conditions;
judging whether the function list comprises at least one of preset functions, if not, the dividing object does not meet the preset conditions;
judging whether the technical list comprises all the used cryptographic techniques, if not, the dividing object does not meet the preset condition;
judging whether the components in the component list contain all the components supporting the function list and the technical list, if not, the dividing object does not meet the preset condition.
Further, the first preset mode includes dividing the password boundary according to functions and finite states, and the second preset mode includes dividing at least one of the password boundary according to a supporting mechanism, dividing the password boundary according to a usage scenario, and dividing the password boundary according to sensitive security parameters.
Further, partitioning the cryptographic boundary by function and finite state includes:
according to the function list of the dividing object, the parts which directly participate in calculation and/or key management in the operation process are divided into cipher boundaries, and the parts which do not directly participate in calculation and/or key management in the operation process are divided into auxiliary parts;
and (3) operating one by one according to the limited state of the dividing object, and dividing the parts directly participated in the operation process into the password boundary.
Further, partitioning the cryptographic boundary according to a support mechanism includes:
dividing all mechanisms which serve to directly support the function and/or service provided by the dividing object into a password boundary;
dividing all measures corresponding to mechanisms for directly supporting and dividing objects to provide functions and/or services into password boundaries;
all mechanisms and corresponding measures playing a role in directly supporting the safety protection are marked into the password boundary.
Further, partitioning the cryptographic boundary according to the usage scenario includes:
collecting the scenes of the password application and the importance of the application scenes, and comparing the password standard to judge the security level which the password should define;
obtaining the data type of the scene input to the password, running a dividing object, deducing and/or monitoring the function of the data after entering the password, judging whether the data is directly used for password calculation and/or key management, if so, dividing the password input channel of the data into a password boundary, and dividing the scene into the password boundary or into an accessory part;
and changing the use scene, running the division object, judging whether the division object is specifically applied to the scene, and if the division object is a specific scene, dividing the scene into password boundaries or into auxiliary parts and limiting the use range of the password.
Further, partitioning the cryptographic boundary according to the sensitive security parameters includes:
identifying all sensitive security parameters involved in cryptographic computation and/or key management according to the function list, the support mechanism and the usage scenario;
dividing the parts supported by the generation or input, storage, transmission, use, backup, output, update and destruction of the sensitive security parameters into the password boundaries;
wherein the input and output, if a security mechanism is employed, are divided into cryptographic boundaries or into appendages.
Further, generating a final password boundary according to the division results of the plurality of preset modes includes:
and carrying out aggregation and operation on the division results of a plurality of preset modes to obtain a final password boundary.
The beneficial effects of the invention are as follows: the method is characterized in that a list and a finite state are established, and the password boundary is obtained by dividing the functions provided by the password, the supporting mechanism of the password operation, the scene of the password use and the sensitive security parameters of the password operation and comprehensively judging. The method can enable the password boundary division to be clear to the levels of a part, a program, a file and a code, improves the accuracy of the password boundary division, and can avoid the risk that detection cannot pass due to inaccurate boundary division. Meanwhile, the technical standard is considered due to the clear dividing route and basis, so that the subsequent standard of the password detection basis can be directly guided.
Drawings
FIG. 1 is a flow chart of a method for partitioning cryptographic boundaries according to one embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described below with reference to the embodiments, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by a person skilled in the art without any inventive effort, are intended to be within the scope of the present invention, based on the embodiments of the present invention.
Referring to fig. 1, the present invention provides a method for dividing a cryptographic boundary:
as shown in fig. 1, a method for dividing a cryptographic boundary includes steps S100 to S500. The following is a detailed description.
And S100, establishing a function list, a technology list and a component list of the dividing object.
The function list includes a list of all cryptographic functions and/or services that the partitioning object claims to be enabled.
The technical list includes technical standards for dividing the function and service execution of the object, and technical requirements for dividing the function and service execution of the object.
The component manifest includes components, e.g., hardware, programs, code, files, etc., to which the partition object is attached to implement cryptographic functions and/or services, where the software and firmware are categorized as programs or code.
Generally, before establishing the function list, the technology list and the component list of the division object, the basic data of the division object of the mobile phone is required, for example: collecting technical and safety design data of the division object, and collecting all data of the division object if the technical and safety design data are absent; usage scenario data used by the partition objects is collected, including importance of usage scenarios and password requirements.
And S200, drawing the finite state of the dividing object.
In some embodiments, drawing a finite state of a partitioning object includes: and drawing a finite state transition diagram and a finite state transition table, wherein the finite state comprises a power on/off state, an initialization state, a password administration state, a key security parameter data state, a user state, an approval state, a self-test state and an error state.
If the partitioning object has other states in addition to the finite state, the other states should be drawn as well. Other states may be bypass states, inactive states, etc.
Specifically, a finite state transition diagram is drawn according to the data of the division object, and a finite state transition table is produced. Outputting a warning if the finite state is not available or the finite state is absent, and outputting a warning that the object to be divided is required to provide a basis for the support not available or absent; if no corresponding basis exists, the output warning is converted into an error.
And S300, judging whether the dividing object meets the preset condition according to the function list, the technology list and the component list.
In some embodiments, determining whether the partitioning object satisfies a preset condition according to the function list, the technology list, and the component list includes:
and S310, checking the technical standards and the technical requirements one by one according to the technical list, judging whether all the declared password functions and/or services can be realized, and if not, judging that the dividing objects do not meet the preset conditions.
When the partition object cannot realize all the declared cryptographic functions and/or services, an error is output and the error content is reminded. The partitioning object modifies the declared functions and services to be consistent with technical standards or requirements, otherwise the partitioning of the cryptographic boundary is terminated.
Step S320, judging whether the dividing object has at least one function in the function list, at least one technical standard or technical requirement in the technical list and at least one component in the component list at the same time, if not, the dividing object does not meet the preset condition.
An error is output when the division object does not satisfy "at least one function in the function list, at least one technical standard or technical requirement in the technical list, and at least one component in the component list". The partitioning object should be modified and then the cryptographic boundary re-partitioned, otherwise the partitioning of the cryptographic boundary is terminated.
S330, judging whether the division object has a finite state transition diagram and a finite state transition table, if not, the division object does not meet the preset condition.
When the division object does not have the finite state transition diagram and the finite state transition table, an error is output. The partitioning object should be modified and then the cryptographic boundary re-partitioned, otherwise the partitioning of the cryptographic boundary is terminated.
And S340, judging whether the components in the component list meet the technical standards or technical requirements according to the technical list, and if not, judging that the dividing objects do not meet the preset conditions.
When the components in the component list cannot all meet the technical standards or requirements, an error is output. The partitioning object should be modified and then the cryptographic boundary re-partitioned, otherwise the partitioning of the cryptographic boundary is terminated.
For example, the GM/T0028 code requirements for security two-level code requirements can be implemented with evidence of disassembly by using a tamper-evident coating or seal, and then the component should have a coating or seal that meets such requirements.
And S350, judging whether the function list comprises at least one of preset functions, and if not, judging that the dividing object does not meet the preset conditions.
The preset functions include block ciphers, stream ciphers, asymmetric ciphers, message authentication codes, hash functions, authentication, key management, random number generation and secure transmission.
When the function list does not include any one of the preset functions, an error is output, and the division of the password boundary is terminated. The step is repeated after the partition object is modified.
And S360, judging whether the technical list comprises all the used cryptographic technologies, and if not, judging that the dividing object does not meet the preset condition.
Specifically, it is determined whether the contents of the technical list are comprehensive, and the contents of the technical list are unlimited, but all the cryptographic techniques used should be included. If the technical list is not comprehensive, outputting a warning, and repeating the step after the dividing object is modified. If the partition object is not modified, the missing portion is deleted. The technical standards or requirements are as follows: ZUC, SM2, SM3, SM4, SM9, AES, SHA256, IPSec, SSL, etc.
And S370, judging whether the components in the component list contain all the components supporting the function list and the technical list, and if not, judging that the dividing object does not meet the preset condition.
If the technical list does not contain all the components supporting the function list and the technical list, a warning is output, and the step is repeated after the dividing object is modified. If the partition object is not modified, the missing portion is deleted. The contents of the components include a random number generator, a security chip, a password card, a circuit, a program, a code, a file and the like.
And S400, if the dividing object meets the preset condition, dividing the password boundary of the dividing object according to the first preset mode and the second preset mode.
In some embodiments, the first predetermined manner includes dividing the cryptographic boundary by function and finite state, and the second predetermined manner includes at least one of dividing the cryptographic boundary by a support mechanism, dividing the cryptographic boundary by a usage scenario, and dividing the cryptographic boundary by a sensitive security parameter.
In some embodiments, partitioning cryptographic boundaries by function and finite state includes:
and (3) operating one by one according to the function list of the dividing object, dividing the parts directly participating in calculation and/or key management in the operation process into the password boundary, and dividing the parts not directly participating in calculation and/or key management in the operation process into auxiliary parts. For components that directly participate in computation and/or key management, either a single component or multiple independent components are partitioned into cryptographic boundaries; the channel between the individual components or the component on which the information is transferred should be drawn into the cryptographic boundary. For components that do not directly support cryptographic computation and/or key management, they may or may not be partitioned into cryptographic boundaries. Such as an operating system, computing platform, database, if not partitioned into cryptographic boundaries, into appendages.
And (3) operating one by one according to the limited state of the dividing object, and dividing the parts directly participated in the operation process into the password boundary. For directly participating components, either a single component or multiple independent components, are partitioned into cryptographic boundaries.
In some embodiments, partitioning the cryptographic boundary in accordance with a support mechanism includes:
all mechanisms that serve to directly support the functionality and/or services provided by the partitioning object, and measures corresponding to the mechanisms, are partitioned into cryptographic boundaries. The method specifically comprises the following steps: mechanisms for displaying password information, such as a screen and an interface for displaying version numbers, and corresponding programs, codes and files; a mechanism for displaying the state of the password, such as displaying a normal or abnormal screen, a part for sounding a beep for reminding of the abnormality, and a corresponding program, code, file; physical hardware and ports, software and interfaces for information input and output supporting password calculation and/or key management, such as a keyboard for inputting PIN codes, a screen or a software interface for displaying input reminders, and corresponding programs, codes and files; other mechanisms and measures directly supporting the password operation and corresponding programs, codes and files; the power and connection lines may be drawn into the code boundary, e.g., plug, battery, if not into the code boundary, into the appendages.
All mechanisms and corresponding measures playing a role in directly supporting the safety protection are marked into the password boundary. The method specifically comprises the following steps: (1) Mechanisms and measures to prevent physical damage, environmental failure protection; such as physical hardware shells to prevent physical damage, high temperature failure protection measures, and corresponding programs, code, files. (2) Mechanisms and measures to make the transmission of cryptographic internal sensitive information a secure channel; such as cryptographic protocols and attached components, as well as corresponding programs, code, files. (3) A mechanism for maintaining passwords, and an authentication mechanism and measures for maintaining password personnel; such as authentication modes and attached components required by password initialization, password configuration and the like, a screen, a keyboard and an interface for inputting authentication identity information, and corresponding programs, codes and files. (4) The cryptographic internal software and/or firmware integrity and mechanisms and measures are protected, such as cryptographic hash algorithm programs, codes, files, digital signature and verification programs, codes, files. (5) Sensitive security parameter management, including a mechanism and a measure for generating random numbers, and a mechanism and a measure for establishing, inputting and outputting, storing and zeroing sensitive security parameters; such as a random number generator for generating random numbers, a computing parameter, a medium in which sensitive security parameters are stored, and corresponding programs, codes, files. (6) The mechanism and means for storing the sensitive security parameter ciphertext may not fall within the cryptographic boundary, if not divided into the cryptographic boundary, it is divided into the appendages. (7) Mechanisms and measures for self-testing, and programs and/or codes and files for executing the self-test. (8) mechanisms and measures to prevent side channel attacks; such as programs, code, files that are executed out of order, coatings that shield electromagnetic leakage, and corresponding programs, code, files. (9) The functions and/or services not provided by the password in steps (1) to (7) may be absent. (10) In the step (1), if a physical hardware shell with the function of preventing physical damage wraps all the components, the hardware shell is taken as a password boundary; for example, the chassis of the server cipher machine and the Ukey matched with the chassis are used as cipher boundaries; if there is a hardware component that is not wrapped by a hardware shell that is protective, the wrapped hardware shell and the unwrapped hardware component together serve as a cryptographic boundary, and the software and firmware carried by the unwrapped hardware shell-free component is also scored into the cryptographic boundary. (11) If the partition object is composed of a program, a code and a file, and does not have hardware, the program, the code and the file which realize functions, finite states, support and safety protection are used as a password boundary.
In some embodiments, partitioning the cryptographic boundary by use scenario includes:
and collecting the scenes of the password application and the importance of the application scenes, and comparing the password standard to judge the security level which the password should define. For example, the password product refers to the password module security technical requirements, and the password application refers to the information system password application basic requirements.
The method comprises the steps of obtaining the data type of the scene input to the password, running a dividing object, deducting and/or monitoring the function of the data after entering the password, judging whether the data is directly used for password calculation and/or key management, if so, dividing the password input channel of the data into a password boundary, and dividing the scene into the password boundary or into an accessory part.
And changing the use scene, running the division object, judging whether the division object is specifically applied to the scene, and if the division object is a specific scene, dividing the scene into password boundaries or into auxiliary parts and limiting the use range of the password.
In some embodiments, partitioning the cryptographic boundary according to the sensitive security parameters includes:
all sensitive security parameters involved in cryptographic computation and/or key management are identified from the function list, support mechanism and usage scenario.
Dividing the parts supported by the generation or input, storage, transmission, use, backup, output, update and destruction of the sensitive security parameters into the password boundaries; wherein the input and output, if a security mechanism is employed, are divided into cryptographic boundaries or into appendages.
S500, collecting and operating the division results of the first preset mode and the second preset mode to obtain a final password boundary.
In some embodiments, generating the final cryptographic boundary according to the partitioning result of the plurality of preset modes includes: and carrying out aggregation and operation on the division results of a plurality of preset modes to obtain a final password boundary.
For example, a password boundary obtained by dividing the password boundary according to the function and the finite state is denoted as a first password boundary, a password boundary obtained by dividing the password boundary according to the support mechanism is denoted as a second password boundary, a password boundary obtained by dividing the password boundary according to the use scene is denoted as a third password boundary, and a password boundary obtained by dividing the password boundary according to the sensitive security parameter is denoted as a fourth password boundary. The first password boundary, the second password boundary, the third password boundary and the fourth password boundary are integrated and operated to obtain a final password boundary, and the accuracy of the obtained final password boundary is first; and carrying out aggregation and operation on the first password boundary and one or two of the second password boundary, the third password boundary and the fourth password boundary to obtain a final password boundary, wherein the accuracy of the obtained final password boundary is second.
And finally outputting a final password boundary, the accuracy of the password boundary, a function list, a technical list, a component list and the like of the dividing object.
The foregoing is merely a preferred embodiment of the invention, and it is to be understood that the invention is not limited to the form disclosed herein but is not to be construed as excluding other embodiments, but is capable of numerous other combinations, modifications and environments and is capable of modifications within the scope of the inventive concept, either as taught or as a matter of routine skill or knowledge in the relevant art. And that modifications and variations which do not depart from the spirit and scope of the invention are intended to be within the scope of the appended claims.
Claims (10)
1. A method for partitioning a cryptographic boundary, comprising:
establishing a function list, a technology list and a component list of the dividing object;
drawing a finite state of the dividing object;
judging whether the dividing object meets preset conditions according to the function list, the technology list and the component list;
if the dividing object meets the preset condition, dividing the password boundary of the dividing object according to a first preset mode and a second preset mode respectively;
and collecting the division results of the first preset mode and the second preset mode and operating to obtain a final password boundary.
2. A method of partitioning cryptographic boundaries according to claim 1 wherein the function manifest comprises a manifest of all cryptographic functions and/or services that the partitioning object declares to be enabled, the technical manifest comprising technical criteria for the execution of the functions and services of the partitioning object and technical requirements for the execution of the functions and services of the partitioning object, the manifest of components comprising components to which the partitioning object is attached to enable cryptographic functions and/or services.
3. The method of claim 1, wherein drawing the finite state of the partitioning object comprises:
and drawing a finite state transition diagram and a finite state transition table, wherein the finite state comprises a power on/off state, an initialization state, a password administration state, a key security parameter data state, a user state, an approval state, a self-test state and an error state.
4. The method according to claim 1, wherein determining whether the division object satisfies a predetermined condition based on the function list, the technology list, and the component list, comprises:
checking technical standards and technical requirements one by one according to the technical list, judging whether all the declared password functions and/or services can be realized, and if not, the dividing objects do not meet preset conditions;
judging whether the dividing object has at least one function in the function list, at least one technical standard or technical requirement in the technical list and at least one component in the component list at the same time, if not, the dividing object does not meet the preset condition;
judging whether the division object has a finite state transition diagram and a finite state transition table, if not, the division object does not meet the preset condition;
judging whether the components in the component list meet the technical standards or technical requirements according to the technical list, if not, the dividing objects do not meet the preset conditions;
judging whether the function list comprises at least one of preset functions, if not, the dividing object does not meet the preset conditions;
judging whether the technical list comprises all the used cryptographic techniques, if not, the dividing object does not meet the preset condition;
judging whether the components in the component list contain all the components supporting the function list and the technical list, if not, the dividing object does not meet the preset condition.
5. The method of claim 1, wherein the first predetermined manner comprises dividing the cryptographic boundary by function and finite state, and the second predetermined manner comprises at least one of dividing the cryptographic boundary by a support mechanism, dividing the cryptographic boundary by a usage scenario, and dividing the cryptographic boundary by a sensitive security parameter.
6. The method of claim 5, wherein partitioning the cryptographic boundary according to function and finite state comprises:
according to the function list of the dividing object, the parts which directly participate in calculation and/or key management in the operation process are divided into cipher boundaries, and the parts which do not directly participate in calculation and/or key management in the operation process are divided into auxiliary parts;
and (3) operating one by one according to the limited state of the dividing object, and dividing the parts directly participated in the operation process into the password boundary.
7. The method of claim 5, wherein the partitioning of the cryptographic boundary according to the support mechanism comprises:
dividing all mechanisms which serve to directly support the function and/or service provided by the dividing object into a password boundary;
dividing all measures corresponding to mechanisms for directly supporting and dividing objects to provide functions and/or services into password boundaries;
all mechanisms and corresponding measures playing a role in directly supporting the safety protection are marked into the password boundary.
8. The method of claim 5, wherein the dividing the cryptographic boundary according to the usage scenario comprises:
collecting the scenes of the password application and the importance of the application scenes, and comparing the password standard to judge the security level which the password should define;
obtaining the data type of the scene input to the password, running a dividing object, deducing and/or monitoring the function of the data after entering the password, judging whether the data is directly used for password calculation and/or key management, if so, dividing the password input channel of the data into a password boundary, and dividing the scene into the password boundary or into an accessory part;
and changing the use scene, running the division object, judging whether the division object is specifically applied to the scene, and if the division object is a specific scene, dividing the scene into password boundaries or into auxiliary parts and limiting the use range of the password.
9. The method of claim 5, wherein partitioning the cryptographic boundary according to the sensitive security parameter comprises:
identifying all sensitive security parameters involved in cryptographic computation and/or key management according to the function list, the support mechanism and the usage scenario;
dividing the parts supported by the generation or input, storage, transmission, use, backup, output, update and destruction of the sensitive security parameters into the password boundaries;
wherein the input and output, if a security mechanism is employed, are divided into cryptographic boundaries or into appendages.
10. The method of claim 1, wherein generating the final cryptographic boundary based on the partitioning results of the plurality of predetermined modes comprises:
and carrying out aggregation and operation on the division results of a plurality of preset modes to obtain a final password boundary.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310739528.XA CN116488811B (en) | 2023-06-21 | 2023-06-21 | Method for dividing cipher boundary |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310739528.XA CN116488811B (en) | 2023-06-21 | 2023-06-21 | Method for dividing cipher boundary |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116488811A true CN116488811A (en) | 2023-07-25 |
| CN116488811B CN116488811B (en) | 2023-09-05 |
Family
ID=87219926
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310739528.XA Active CN116488811B (en) | 2023-06-21 | 2023-06-21 | Method for dividing cipher boundary |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116488811B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170041296A1 (en) * | 2015-08-05 | 2017-02-09 | Intralinks, Inc. | Systems and methods of secure data exchange |
| US20200084021A1 (en) * | 2018-09-07 | 2020-03-12 | Korea University Research And Business Foundation | Apparatus and method for block ciphers for real-time data transmission |
| CN114024767A (en) * | 2021-11-25 | 2022-02-08 | 郑州信大信息技术研究院有限公司 | Password-defined network security system construction method, system architecture and data forwarding method |
| CN114866228A (en) * | 2022-03-24 | 2022-08-05 | 北京安御道合科技有限公司 | Method, system, storage medium and terminal for realizing soft password module |
| CN115630355A (en) * | 2022-10-31 | 2023-01-20 | 鼎铉商用密码测评技术(深圳)有限公司 | Security evaluation method and device for cryptographic module and storage medium |
| CN116232593A (en) * | 2023-05-05 | 2023-06-06 | 杭州海康威视数字技术股份有限公司 | Multi-password module sensitive data classification and protection method, equipment and system |
| CN116260595A (en) * | 2023-05-15 | 2023-06-13 | 豪符密码检测技术(成都)有限责任公司 | Cloud password detection method and system |
-
2023
- 2023-06-21 CN CN202310739528.XA patent/CN116488811B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170041296A1 (en) * | 2015-08-05 | 2017-02-09 | Intralinks, Inc. | Systems and methods of secure data exchange |
| US20200084021A1 (en) * | 2018-09-07 | 2020-03-12 | Korea University Research And Business Foundation | Apparatus and method for block ciphers for real-time data transmission |
| CN114024767A (en) * | 2021-11-25 | 2022-02-08 | 郑州信大信息技术研究院有限公司 | Password-defined network security system construction method, system architecture and data forwarding method |
| CN114866228A (en) * | 2022-03-24 | 2022-08-05 | 北京安御道合科技有限公司 | Method, system, storage medium and terminal for realizing soft password module |
| CN115630355A (en) * | 2022-10-31 | 2023-01-20 | 鼎铉商用密码测评技术(深圳)有限公司 | Security evaluation method and device for cryptographic module and storage medium |
| CN116232593A (en) * | 2023-05-05 | 2023-06-06 | 杭州海康威视数字技术股份有限公司 | Multi-password module sensitive data classification and protection method, equipment and system |
| CN116260595A (en) * | 2023-05-15 | 2023-06-13 | 豪符密码检测技术(成都)有限责任公司 | Cloud password detection method and system |
Non-Patent Citations (5)
| Title |
|---|
| RAHAMAN S 等: "Cryptoguard:High precision detection of cryptographic vulnerabilities in massive-sized java projects", PROCEEDINGS OF THE 2019 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY * |
| 李波;王健光;: "信息安全的密码学与密匙管理", 电脑知识与技术, no. 35 * |
| 王九林;夏潇;王一帆;: "密码服务平台的设计与实现", 北京电子科技学院学报, no. 04 * |
| 陶建军;张继永;罗云鹏;: "联合作战密钥分发架构设计", 通信技术, no. 05 * |
| 魏荣 等: "密码应用安全技术研究及软件密码模块检测的讨论", 密码学报, no. 03 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116488811B (en) | 2023-09-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103905461B (en) | Cloud service behavior trustworthiness attestation method and system based on trusted third party | |
| CN107391298A (en) | State data memory detection method, device and computer-readable recording medium | |
| CN111898148A (en) | Information supervision method and device based on block chain | |
| CN109978688A (en) | The access control method and its contract generator and server of distributed common recognition system | |
| KR102162044B1 (en) | The Method for User Authentication Based on Block Chain and The System Thereof | |
| CN107133520A (en) | The credible measurement method and apparatus of cloud computing platform | |
| CN107609410A (en) | Android system data guard method, terminal device and storage medium based on HOOK | |
| CN106547648A (en) | Backup data processing method and device | |
| CN110598377A (en) | Software serial number management method and device based on block chain | |
| CN109117643A (en) | The method and relevant device of system processing | |
| CN106354550A (en) | Method, device and system for protecting security of virtual machine | |
| CN110347678B (en) | Financial data storage method, system, device and equipment | |
| CN104965701B (en) | Obtain the method and device of application message | |
| CN116488811B (en) | Method for dividing cipher boundary | |
| CN111176567B (en) | Storage supply verification method and device for distributed cloud storage | |
| CN111222181B (en) | AI model supervision method, system, server and storage medium | |
| CN106888094B (en) | A kind of endorsement method and server | |
| CN116663026B (en) | Block chain-based data processing method and device, electronic equipment and medium | |
| CN106372523A (en) | Modem file safety protection method and system | |
| CN105933303A (en) | File tempering detection method and device | |
| CN111723379B (en) | Trusted protection method, system, equipment and storage medium for trusted platform area intelligent terminal | |
| CN115659346A (en) | Function testing method and device for multi-party secure computing platform | |
| CN111190824B (en) | Monitoring method, device, terminal equipment and storage medium | |
| CN109922056A (en) | Data safety processing method and its terminal, server | |
| CN111552985B (en) | Information verification method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |